HTTPCLIENT-2302: Add comment to TrustStrategy usage in examples (#492)

2023-10-12 12:24:28 +02:00 · 2023-10-12 12:24:28 +02:00 · 19f3922b37
parent 9c83250ab4
commit 19f3922b37
2 changed files with 14 additions and 0 deletions
--- a/httpclient5/src/test/java/org/apache/hc/client5/http/examples/AsyncClientCustomSSL.java
+++ b/httpclient5/src/test/java/org/apache/hc/client5/http/examples/AsyncClientCustomSSL.java
@ -59,7 +59,14 @@ public class AsyncClientCustomSSL {
    public static void main(final String[] args) throws Exception {
        // Trust standard CA and those trusted by our custom strategy
        final SSLContext sslContext = SSLContexts.custom()
+                // Custom TrustStrategy implementations are intended for verification
+                // of certificates whose CA is not trusted by the system, and where specifying
+                // a custom truststore containing the certificate chain is not an option.
                .loadTrustMaterial((chain, authType) -> {
+                    // Please note that validation of the server certificate without validation
+                    // of the entire certificate chain in this example is preferred to completely
+                    // disabling trust verification, however this still potentially allows
+                    // for man-in-the-middle attacks.
                    final X509Certificate cert = chain[0];
                    return "CN=httpbin.org".equalsIgnoreCase(cert.getSubjectDN().getName());
                })
--- a/httpclient5/src/test/java/org/apache/hc/client5/http/examples/ClientCustomSSL.java
+++ b/httpclient5/src/test/java/org/apache/hc/client5/http/examples/ClientCustomSSL.java
@ -55,7 +55,14 @@ public class ClientCustomSSL {
    public final static void main(final String[] args) throws Exception {
        // Trust standard CA and those trusted by our custom strategy
        final SSLContext sslContext = SSLContexts.custom()
+                // Custom TrustStrategy implementations are intended for verification
+                // of certificates whose CA is not trusted by the system, and where specifying
+                // a custom truststore containing the certificate chain is not an option.
                .loadTrustMaterial((chain, authType) -> {
+                    // Please note that validation of the server certificate without validation
+                    // of the entire certificate chain in this example is preferred to completely
+                    // disabling trust verification, however this still potentially allows
+                    // for man-in-the-middle attacks.
                    final X509Certificate cert = chain[0];
                    return "CN=httpbin.org".equalsIgnoreCase(cert.getSubjectDN().getName());
                })